EvilZone - Hacking and Security
Posted by shadow125, June 22, 2015, 01:13:04 AM
-
I was watching some pentesting courses I've downloaded and one of them talked about session hijacking, but the course is from 3 years ago and now HTTPS is standard. So I was wondering, is session hijacking still possible in any way? Or does it work with HTTP only?
-
Session hijacking is possible anytime you can intercept, predict or otherwise acquire the session ID. So, if someone is using really awful session IDs that you can predict, you can certainly do it over HTTPS. Additionally, there's the "Secure" flag on cookies. If it's not set, the data will be visible over HTTP. Even if it is set, you can overwrite it with a plaintext cookie.
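An added example, not code from anyone in this thread, that checks the two points made above from the defender's side: it audits a Set-Cookie header for the Secure, HttpOnly and SameSite attributes (plus the `__Host-` name prefix, which stops a plaintext response from overwriting the cookie), and it shows why numeric session IDs are guessable next to IDs drawn from the OS CSPRNG. The headers and the `sessionid` name are constructed for the example.

```python
import secrets

# Constructed Set-Cookie headers for the example (not captured from any real site).
SAMPLE_SET_COOKIES = [
    "sessionid=1001; Path=/",
    "sessionid=1002; Path=/; Secure",
    "__Host-sessionid=Qb9c2LwGm5uJ1xX0fYtR8kZ; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        # Flag attributes such as Secure have no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return a list of findings for a session cookie header; an empty list means OK."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the browser will also send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: page scripts can read the value")
    if "samesite" not in attrs:
        findings.append("missing SameSite: sent on cross-site requests")
    if not name.startswith("__Host-"):
        findings.append("no __Host- prefix: a plaintext response for the host can overwrite it")
    if value.isdigit():
        findings.append("numeric value: looks like a sequential, guessable ID")
    return findings


def is_sequential(session_ids):
    """True when every ID is an integer and consecutive IDs differ by a constant step."""
    try:
        nums = [int(s) for s in session_ids]
    except ValueError:
        return False
    if len(nums) < 2:
        return False
    steps = {later - earlier for earlier, later in zip(nums, nums[1:])}
    return len(steps) == 1


def new_session_id():
    """256 bits from the OS CSPRNG; earlier IDs give no information about the next one."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    for header in SAMPLE_SET_COOKIES:
        print(header)
        for finding in audit_set_cookie(header) or ["OK"]:
            print("  -", finding)
    print("sequential:", is_sequential(["1001", "1002", "1003"]))
    print("random:    ", is_sequential([new_session_id() for _ in range(3)]))
```

Running it reports five findings for the first header, four for the second and none for the third; the counter-style IDs come back as sequential while the `secrets` IDs do not.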
-
SSLStrip and a MITM is needed mostly for session hijacking,
but most sites have different cookies for different parts of the site.
Example:
with Yahoo you can capture session data and be 'logged in' on the search page, but when you go to the email section it asks you for the password.
Probably because of the 'hacky' nature of sessions.
But with other more basic sites that use simple logged-in-or-not cookies it is very possible still.
On Android, Intercepter-NG is great at it:
set sslstrip, run the MITM and wait for a cookie,
press the cookie and the site loads with the cookie set and you are logged in as whatever user.
It worked with the Facebook Messenger app, but as I said before, moving from one site service to another is a bit dodgy in recent years.
-
Had a funny situation where a friend was working on a site that passed a session ID in the URL from a GET request, and the only other cookie relevant to the session literally had the value of the username. All of this done over HTTP. Sniff one packet and know their username and boom, hello session.
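An added example, not from the poster above, showing how a site owner would catch the first half of that mistake: it scans web server access log lines for session identifiers carried in URL query strings, and redacts them so the log itself does not become a second copy of every session. The log lines and the list of parameter names are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Query-string parameter names that commonly carry a session identifier (assumed list).
SESSION_PARAM_NAMES = {"sessionid", "session_id", "sid", "phpsessid", "jsessionid", "token"}

# Constructed access log lines in the common "combined" layout (not from any real server).
SAMPLE_ACCESS_LOG = "\n".join([
    '10.0.0.5 - - [22/Jun/2015:01:13:04 +0000] "GET /account?sessionID=9f3a2c&tab=orders HTTP/1.1" 200 512',
    '10.0.0.7 - - [22/Jun/2015:01:13:09 +0000] "GET /static/app.js HTTP/1.1" 200 8810',
    '10.0.0.9 - - [22/Jun/2015:01:14:01 +0000] "GET /profile?PHPSESSID=7bd41e HTTP/1.1" 200 300',
])

# Client IP, timestamp, and the quoted request line are all we need from each entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Longest names first so "sessionid" is not shadowed by a shorter alternative.
_NAME_ALT = "|".join(sorted(map(re.escape, SESSION_PARAM_NAMES), key=len, reverse=True))
REDACT_RE = re.compile(r'(?i)\b(' + _NAME_ALT + r')=([^&\s"]+)')


def find_session_ids_in_urls(log_text):
    """Return one record per request whose query string carries a session parameter."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        for param in parse_qs(parts.query):
            if param.lower() in SESSION_PARAM_NAMES:
                hits.append({
                    "ip": match.group("ip"),
                    "time": match.group("time"),
                    "path": parts.path,
                    "param": param,
                })
    return hits


def redact_session_ids(log_text):
    """Replace the value of any session parameter with a marker before the log is stored."""
    return REDACT_RE.sub(r"\1=[REDACTED]", log_text)


if __name__ == "__main__":
    for hit in find_session_ids_in_urls(SAMPLE_ACCESS_LOG):
        print(f"{hit['time']} {hit['ip']} sent a session ID in the URL of {hit['path']} ({hit['param']})")
    print(redact_session_ids(SAMPLE_ACCESS_LOG))
```

Two of the three constructed lines are reported; the redacted output keeps the parameter names, so the scan still works on stored logs, but no longer contains the ID values.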
-
Before the fix you could session hijack evilzone as demonstrated:
https://evilzone.org/hacking-and-security/session-hijacking-evilzone/msg72536/#msg72536
This is not too long ago actually.
Pretty sure many websites still have similar flaws.
-
Yes, session hijacking is absolutely still possible. All session hijacking is, is using someone else's session ID as your own, making a server think you're that person. It doesn't really matter how you obtain the session ID.
-
On the LAN side of things, if you can predict the next sequence numbers, then session hijacking is still very much possible.